Required or requested, a lot of employees are now choosing to work from places with nary a cubical in sight. Instead of going to an office with its physical isolation and beefy protective firewall, employees are going to coffee shops, libraries, private offices, or laying on their couch to start their workday. In addition, the avalanche of Bring Your Own Devices (BYOD) asking to use your company’s data isn’t slowing down any time soon. This all adds up to a very busy IT department.
How do you secure employees who are never in the office? How do you provide them with the apps they need to be productive? What happens when your company grows, and the number of devices to manage grows even more? What about your international employees? How do I prevent terminated employees from taking company data with them when they leave? If you’re asking yourself these questions, then you are in the right place.
Microsoft Endpoint Manager is a cloud-based device management solution that answers all of those questions. It protects corporate data, manages BYOD software, and manages the hardware and software on company devices. In addition, it helps to deploy new devices, connects with Azure Active Directory for authentication and role-based access controls, and protects against cyberthreats with Microsoft Defender for Endpoint.
Microsoft Endpoint Manager consists of six parts that combine to handle all parts of device management.
1. Azure Active Directory (AAD) – Universal platform to manage and secure identities.
The bedrock of endpoint management is being able to remotely give specific persons the ability to access data and devices. Azure Active Directory provides access to external resources such as Microsoft 365 and thousands of SaaS applications like Adobe Creative Cloud, Mailchimp, and Dropbox. It also works with internal resources as well. Internal apps and internally developed cloud apps are able to use AAD for authentication of users.
AAD has many more features besides identity management. A popular feature is multifactor authentication based on conditional access. By setting this up you can require users to use multifactor authentication based on where they are (are they in the office?), or what apps they are requesting access to.
AAD Premium 1 and 2 come with more advanced features like Privileged Identity Management (PIM). PIM lets you manage, control, and monitor user roles within AAD, Azure, Microsoft 365, and Intune, among others. PIM allows you to set the duration of the user’s access and give users just-in-time permission elevation. As an example, if you have a user who needs the Global Administrator role for 8 hours using PIM that user will be able to request the elevation, have access for eight hours, and automatically have the elevation removed from his user at the end of that time.
For more information about Azure AD: What is Azure Active Directory? – Azure Active Directory | Microsoft Docs
2. Intune – Cloud-based unified management
One of the cores of Microsoft Endpoint Manager is Intune. With Intune, there are two major categories of management: Mobile Device Management (MDM) and Mobile Application Management (MAM). There are also two different types of devices that work with Intune: corporate devices, and personal devices (BYOD).
Corporate devices can be managed on the device and app level. Device settings include pushing certificates to allow access to the company wifi, requiring specific firewall settings, requiring hard drives to use Bitlocker, and requiring the use of Windows Hello on devices that support it.
App settings can include remote installation of required apps (Office, for example), a managed update policy, app protection policies (data protection, requirements for access, etc.), and required apps vs. recommended apps (what apps must be installed vs. what apps can the user choose to install).
Intune’s features like Wipe, Sync, and Fresh Start allow IT to remove company data, reapply device policies, and refresh all apps on the device. It is just what IT wants when managing all of those remote devices.
For more information about Intune: What is Microsoft Intune | Microsoft Docs
3. Windows Autopilot
One of the most labor-intensive tasks in IT is device deployment and reconfiguring returned devices. Windows Autopilot seeks to make that a thing of the past.
Autopilot is a group of technologies that help IT customize device deployment right from the factory. The idea is to allow a local IT department to support a global workforce. With Autopilot IT never needs to touch the laptop or phone before sending it to the user.
Autopilot allows for the resetting of devices remotely. For example, if a remote user is having a software problem IT can click one button and fully reset the device, even reinstalling Windows. With settings and app policies configured the device will be ready for work in a fraction of the time it would take using traditional methods.
For more information about Windows Autopilot: Overview of Windows Autopilot | Microsoft Docs
4. Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is a multifaceted tool to help combat today’s advanced threat landscape. It is a security platform to prevent, detect, investigate, and respond to advanced threats.
Included in Defender for Endpoint are features like: Threat and Vulnerability Management, Attack Surface Reduction, Next-generation Protection, and Endpoint Detection and Response.
Used in conjunction with Intune and the rest of the Defender suite businesses can integrate their security solution on-premises as well as in the cloud.
For more information about Microsoft Defender for Endpoint: Microsoft Defender for Endpoint | Microsoft Docs
5. Endpoint Analytics
Endpoint Analytics allows you to see and measure how your company is working and the quality of the experience they are having. It allows you to monitor devices for potential hardware and software problems.
Is a user experiencing a problem starting an app? There may be a number of potential solutions including legacy hardware, misconfigured software, and changes caused by updates. Endpoint Analytics will help diagnose the issue and help resolve it with proactive remediation.
For more information about Endpoint Analytics: What is Endpoint analytics? – Microsoft Endpoint Manager | Microsoft Docs
6. Microsoft Endpoint Configuration Manager
Do you use Configuration Manager as an on-premises device manager? There is no need to immediately switch to Endpoint Manager just yet. Microsoft has put a lot of effort to integrate SCCM and Endpoint Manager so that they work together to solve complex device management requirements.
Configuration Manager has been used by large organizations to image computers, configure settings, and control access to its devices under management. As Endpoint Manager brings on more features and capabilities there may be a slow shift from Configuration Manager to Endpoint Manager as the cost and complexity of legacy systems become prohibitive.
For more information about Microsoft Endpoint Configuration Manager: Microsoft Endpoint Configuration Manager FAQ – Configuration Manager | Microsoft Docs
Why you need it
Today’s work environment is more complex than ever before. Luckily, we have tools like Microsoft Endpoint Manager to help our IT departments keep a handle on how and where company resources are used.
By deploying Endpoint Manager in your company, you will be able to secure your devices as well as make your workforce more efficient. Using device and app profiles you will be able to install required apps and keep up to date with the latest security defenses via Defender for Endpoint. Your IT department will be over the moon knowing that Autopilot will take care of provisioning and deploying devices to users no matter where they are.
How do you manage your companies’ devices currently?
Contact us for a free consultation with a Microsoft professional.